Added accessor flag to token-revoke CLI
This commit is contained in:
parent
266af2a5e2
commit
0486fa1a3a
|
@ -110,6 +110,19 @@ func (c *TokenAuth) RenewSelf(increment int) (*Secret, error) {
|
|||
return ParseSecret(resp.Body)
|
||||
}
|
||||
|
||||
// RevokeAccessor revokes a token associated with the given accessor
|
||||
// along with all the child tokens.
|
||||
func (c *TokenAuth) RevokeAccessor(accessor string) error {
|
||||
r := c.c.NewRequest("POST", "/v1/auth/token/revoke-accessor/"+accessor)
|
||||
resp, err := c.c.RawRequest(r)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// RevokeOrphan revokes a token without revoking the tree underneath it (so
|
||||
// child tokens are orphaned rather than revoked)
|
||||
func (c *TokenAuth) RevokeOrphan(token string) error {
|
||||
|
@ -136,18 +149,6 @@ func (c *TokenAuth) RevokePrefix(token string) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
// RevokeSelf revokes the token making the call
|
||||
func (c *TokenAuth) RevokeSelf() error {
|
||||
r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-self")
|
||||
resp, err := c.c.RawRequest(r)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// RevokeTree is the "normal" revoke operation that revokes the given token and
|
||||
// the entire tree underneath -- all of its child tokens, their child tokens,
|
||||
// etc.
|
||||
|
|
|
@ -76,12 +76,12 @@ func (c *TokenLookupCommand) Synopsis() string {
|
|||
|
||||
func (c *TokenLookupCommand) Help() string {
|
||||
helpText := `
|
||||
Usage: vault token-lookup [options] [token]
|
||||
Usage: vault token-lookup [options] [token|accessor]
|
||||
|
||||
Displays information about the specified token. If no token is specified,
|
||||
the operation is performed on the currently authenticated token i.e. lookup-self.
|
||||
Information about the token can also be retrieved using the token accessor
|
||||
by setting the '-accessor' flag.
|
||||
Displays information about the specified token. If no token is specified, the
|
||||
operation is performed on the currently authenticated token i.e. lookup-self.
|
||||
Information about the token can be retrieved using the token accessor via the
|
||||
'-accessor' flag.
|
||||
|
||||
General Options:
|
||||
|
||||
|
|
|
@ -12,7 +12,9 @@ type TokenRevokeCommand struct {
|
|||
|
||||
func (c *TokenRevokeCommand) Run(args []string) int {
|
||||
var mode string
|
||||
var accessor bool
|
||||
flags := c.Meta.FlagSet("token-revoke", FlagSetDefault)
|
||||
flags.BoolVar(&accessor, "accessor", false, "")
|
||||
flags.StringVar(&mode, "mode", "", "")
|
||||
flags.Usage = func() { c.Ui.Error(c.Help()) }
|
||||
if err := flags.Parse(args); err != nil {
|
||||
|
@ -37,16 +39,21 @@ func (c *TokenRevokeCommand) Run(args []string) int {
|
|||
}
|
||||
|
||||
var fn func(string) error
|
||||
switch mode {
|
||||
case "":
|
||||
// Handle all 6 possible combinations
|
||||
switch {
|
||||
case !accessor && mode == "":
|
||||
fn = client.Auth().Token().RevokeTree
|
||||
case "orphan":
|
||||
case !accessor && mode == "orphan":
|
||||
fn = client.Auth().Token().RevokeOrphan
|
||||
case "path":
|
||||
case !accessor && mode == "path":
|
||||
fn = client.Auth().Token().RevokePrefix
|
||||
default:
|
||||
c.Ui.Error(fmt.Sprintf(
|
||||
"Unknown revocation mode: %s", mode))
|
||||
case accessor && mode == "":
|
||||
fn = client.Auth().Token().RevokeAccessor
|
||||
case accessor && mode == "orphan":
|
||||
c.Ui.Error("token-revoke cannot be run for 'orphan' mode when 'accessor' flag is set")
|
||||
return 1
|
||||
case accessor && mode == "path":
|
||||
c.Ui.Error("token-revoke cannot be run for 'path' mode when 'accessor' flag is set")
|
||||
return 1
|
||||
}
|
||||
|
||||
|
@ -66,7 +73,7 @@ func (c *TokenRevokeCommand) Synopsis() string {
|
|||
|
||||
func (c *TokenRevokeCommand) Help() string {
|
||||
helpText := `
|
||||
Usage: vault token-revoke [options] token
|
||||
Usage: vault token-revoke [options] [token|accessor]
|
||||
|
||||
Revoke one or more auth tokens.
|
||||
|
||||
|
@ -86,12 +93,23 @@ Usage: vault token-revoke [options] token
|
|||
prefix will be deleted, along with all their children. In this case
|
||||
the "token" arg above is actually a "path".
|
||||
|
||||
Token can be revoked using the token accessor. This can be done by
|
||||
setting the '-accessor' flag. Note that when '-accessor' flag is set,
|
||||
'-mode' should not be set for 'orphan' or 'path'. This is because,
|
||||
a token accessor always revokes the token along with it's child tokens.
|
||||
|
||||
General Options:
|
||||
|
||||
` + generalOptionsUsage() + `
|
||||
|
||||
Token Options:
|
||||
|
||||
-accessor A boolean flag, if set, treats the argument as an accessor of the token.
|
||||
Note that accessor can also be used for looking up the token properties
|
||||
via '/auth/token/lookup-accessor/<accessor>' endpoint.
|
||||
Accessor is used when there is no access to token ID.
|
||||
|
||||
|
||||
-mode=value The type of revocation to do. See the documentation
|
||||
above for more information.
|
||||
|
||||
|
|
Loading…
Reference in New Issue